[agent] chore(deps): bump form-data to 4.0.6 via npm overrides#787
Draft: github-actions[bot] wants to merge 1 commit into
Conversation
Add npm overrides to pin form-data >= 4.0.6, patching CRLF injection vulnerability (GHSA-hmw2-7cc7-3qxx / CVE-2026-12143).

form-data is a transitive dependency pulled in by axios, jsdom, superagent, and @types/node-fetch. None of the direct dependencies have yet shipped a release that resolves this transitively, so an override is used as the immediate remediation.

Fixes Dependabot alert #280.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Summary

Patches GHSA-hmw2-7cc7-3qxx / CVE-2026-12143 — CRLF injection in `form-data` via unescaped multipart field names and filenames (CWE-93, CVSS 7.5 / 8.7).

Change

Added an `overrides` entry in the root `package.json` to pin `form-data` to `>=4.0.6`, and ran `npm install --package-lock-only` to update `package-lock.json` accordingly. The lockfile now resolves `form-data` at 4.0.6 (was 4.0.5).

Why an override?

`form-data` is a transitive dependency; the direct dependents in this repo (`axios`, `jsdom`, `superagent`, `@types/node-fetch`) all declare `^4.0.x` ranges but have not yet shipped a release that pulls in ≥4.0.6. An `overrides` entry is the correct npm mechanism to force the patched version until upstream releases catch up.

Dependabot alerts addressed

`form-data`: GHSA-hmw2-7cc7-3qxx (CVE-2026-12143)
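A reviewer of an override like this wants to confirm it reached every copy of the package, not just the top-level one, since lockfile v2/v3 records nested duplicates under keys such as `node_modules/<dependent>/node_modules/form-data`. The following is an added example, not code from this PR or repository; it walks a lockfile's `packages` map, assumes plain `major.minor.patch` versions, and uses a constructed lockfile fragment in which one nested copy is still unpatched.

```javascript
// Added example (not part of the PR): check that every copy of a package
// recorded in package-lock.json (v2/v3 "packages" map) meets a minimum version.

// Minimal semver parse for "major.minor.patch"; prerelease suffixes are ignored.
function parseVersion(v) {
  return v.split('-')[0].split('.').map(Number);
}

function versionAtLeast(actual, minimum) {
  const a = parseVersion(actual), m = parseVersion(minimum);
  for (let i = 0; i < 3; i++) {
    if ((a[i] || 0) !== (m[i] || 0)) return (a[i] || 0) > (m[i] || 0);
  }
  return true;
}

// Every lockfile entry whose path is a copy of `name`, top-level or nested,
// with its version and whether it satisfies `minimum`.
function auditLockfile(lock, name, minimum) {
  const suffix = `node_modules/${name}`;
  return Object.entries(lock.packages || {})
    .filter(([path]) => path === suffix || path.endsWith('/' + suffix))
    .map(([path, entry]) => ({
      path, version: entry.version, ok: versionAtLeast(entry.version, minimum),
    }));
}

// True only if the package is present and no copy is below the minimum.
function allPatched(lock, name, minimum) {
  const found = auditLockfile(lock, name, minimum);
  return found.length > 0 && found.every((e) => e.ok);
}

// Constructed sample: the top-level form-data is patched, but a nested copy
// under superagent was left at the vulnerable 4.0.5 (versions are made up).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app' },
    'node_modules/form-data': { version: '4.0.6' },
    'node_modules/superagent': { version: '8.0.0' },
    'node_modules/superagent/node_modules/form-data': { version: '4.0.5' },
  },
};

for (const e of auditLockfile(SAMPLE_LOCK, 'form-data', '4.0.6')) {
  console.log(`${e.ok ? 'OK  ' : 'FAIL'} ${e.path} ${e.version}`);
}
```

On a real checkout, pass `require('./package-lock.json')` as the lockfile; `npm ls form-data` gives the same tree view interactively.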